Motivation

Distributed algorithms have always been important

• File systems, resource allocation, Internet, ...

Increasingly becoming safety-critical

• Robotics, transportation, energy, medical

Prove correctness of distributed algorithm implementations

• Pseudo-code is verified manually (semantic gap)

• Implementations are heavily tested (low coverage)

Model-Driven Verifying Compilation of Synchronous Distributed Applications,
Sagar Chaki, James Edmondson, Proc. of MODELS 2014, to appear
Approach: Verification + Code Generation

[Figure: workflow diagram. Boxes: Program in Domain Specific Language; Distributed Application; Safety Specification; Debug Application, Refine Specification; Run on Physical Device; Run within simulator.]

"The Verifying Compiler: A Grand Challenge for computing research"
Tony Hoare
Verification

[Figure: the workflow diagram, verification portion. Box: Program in Domain Specific Language.]
Model Checking

Automatic verification technique for finite state concurrent systems.

• Developed independently by Clarke and Emerson and by Queille and Sifakis in the early 1980s.

• ACM Turing Award 2007

Specifications are written in propositional temporal logic (Pnueli 77).

• Computation Tree Logic (CTL), Linear Temporal Logic (LTL), ...

Verification procedure is an intelligent exhaustive search of the state space of the design.
Code Generation

[Figure: the workflow diagram, code generation portion. Box: Program in Domain Specific Language.]

MADARA Middleware

A database of facts: DB = Var >-> Value

Node i has a local copy: DB_i

• update DB_i arbitrarily

• publish new variable mappings

  • immediate or delayed

  • multiple variable mappings transmitted atomically

Implicit "receive" thread on each node

• receives and processes variable updates from other nodes

• updates ordered via Lamport clocks

Portable to different OSes (Windows, Linux, Android etc.) and networking technology (TCP/IP, UDP, DDS etc.)
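The following is an added example, not MADARA's own code or API: a minimal per-node copy of the "database of facts" in which a publish carries several mappings together and the receive path orders writes by Lamport clock. Assumed, not taken from the slides: variables are small integer ids (VAR_X, VAR_Y), a batch is at most BATCH_MAX mappings, and a clock tie is broken in favour of the higher origin node id. The constructed scenario at the end delivers two concurrent updates to two receivers in opposite orders and checks that both converge.

```c
/* Added example: a per-node "database of facts" with Lamport-ordered
 * updates, illustrating the MADARA description above. Not MADARA's API.
 * Assumptions: integer variable ids, batches of up to BATCH_MAX mappings
 * processed in one call, clock ties broken by higher origin node id. */
#include <string.h>

#define NVARS 4      /* hypothetical: number of variables in the DB */
#define BATCH_MAX 4  /* hypothetical: max mappings per published update */
enum { VAR_X = 0, VAR_Y = 1 };

typedef struct {
    int value;
    unsigned clock;  /* Lamport timestamp of the write that set it */
    int origin;      /* node id that produced the write (tie-breaker) */
} Fact;

typedef struct {
    int id;
    unsigned clock;  /* this node's Lamport clock */
    Fact db[NVARS];  /* DB_i: the local copy */
} Node;

/* One published message: several mappings carried together */
typedef struct {
    int origin;
    unsigned clock;
    int n;
    int var[BATCH_MAX];
    int value[BATCH_MAX];
} Update;

void node_init(Node *n, int id) {
    memset(n, 0, sizeof *n);
    n->id = id;
}

/* Total order on writes: higher clock wins, ties broken by origin id */
static int newer(unsigned c1, int o1, unsigned c2, int o2) {
    return c1 > c2 || (c1 == c2 && o1 > o2);
}

/* Local write of `count` mappings, then publish them as one update:
 * the clock is bumped once and stamps every mapping in the batch. */
Update node_publish(Node *n, const int *vars, const int *vals, int count) {
    Update u;
    memset(&u, 0, sizeof u);
    n->clock++;
    u.origin = n->id; u.clock = n->clock; u.n = count;
    for (int i = 0; i < count; i++) {
        u.var[i] = vars[i]; u.value[i] = vals[i];
        n->db[vars[i]] = (Fact){ vals[i], n->clock, n->id };
    }
    return u;
}

/* What the receive thread does per message: merge the Lamport clock
 * (max + 1), then apply every mapping whose stamp is newer than the
 * stored one. The whole batch is handled in this single call, so the
 * local copy is never left with only part of it. Returns the number
 * of mappings applied (0 means the message was entirely stale). */
int node_receive(Node *n, const Update *u) {
    if (u->clock > n->clock) n->clock = u->clock;
    n->clock++;
    int applied = 0;
    for (int i = 0; i < u->n; i++) {
        Fact *f = &n->db[u->var[i]];
        if (newer(u->clock, u->origin, f->clock, f->origin)) {
            *f = (Fact){ u->value[i], u->clock, u->origin };
            applied++;
        }
    }
    return applied;
}

/* Constructed scenario: nodes 1 and 2 publish concurrently; nodes 3 and 4
 * receive the two updates in opposite orders. Returns 1 if both end up
 * with the same DB, i.e. delivery order did not matter. */
int converges_demo(void) {
    Node a, b, c, d;
    node_init(&a, 1); node_init(&b, 2); node_init(&c, 3); node_init(&d, 4);
    int v1[] = { VAR_X }, x1[] = { 10 };
    int v2[] = { VAR_X, VAR_Y }, x2[] = { 20, 5 };
    Update u1 = node_publish(&a, v1, x1, 1);
    Update u2 = node_publish(&b, v2, x2, 2);
    node_receive(&c, &u1); node_receive(&c, &u2);   /* u1 then u2 */
    node_receive(&d, &u2); node_receive(&d, &u1);   /* u2 then u1 */
    for (int v = 0; v < NVARS; v++)
        if (c.db[v].value != d.db[v].value) return 0;
    return c.db[VAR_X].value == 20 && c.db[VAR_Y].value == 5;
}
```

Both publishers stamp their update with clock 1, so the tie-break on origin id decides which value of VAR_X survives; whichever order the receive thread sees the messages in, the stale write is rejected and the two receivers agree.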
Case Study: Synchronous Collision Avoidance

Example: Synchronous Collision Avoidance

[Figure: 4x4 grid of cells with corners labelled (0,0), (3,0), (0,3), (3,3).]

Reservation contention resolved based on Node ID. No collision possible if no over-booking.
Collision Avoidance Protocol

[Figure: protocol diagram; only the label "next coordinate" survives extraction.]
Synchronous Collision Avoidance Code

MOC_SYNC;

CONST X = 4; CONST Y = 4;
CONST NEXT = 0;
CONST REQUEST = 1;
CONST WAITING = 2;
CONST MOVE = 3;

EXTERN int MOVE_TO (unsigned char x, unsigned char y);

NODE uav (id)
{
  GLOBAL bool lock [X][Y][#N];
  LOCAL int state, x, y, xp, yp, xf, yf;
  void NEXT_XY () { ... }
  void ROUND () {
    if (state == NEXT) { ...
      state = REQUEST;
    } else if (state == REQUEST) { ...
      state = WAITING;
    } else if (state == WAITING) { ...
      state = MOVE;
    } else if (state == MOVE) { ...
      state = NEXT;
    }
  }
}

void INIT ()
{
  FORALL_NODE(id)
    state.id = NEXT;

  //assign x.id and y.id non-deterministically
  //assume they are within the correct range
  //assign lock[x.id][y.id][id] appropriately

  //nodes don't collide initially
  FORALL_DISTINCT_NODE_PAIR (id1,id2)
    ASSUME(x.id1 != x.id2 || y.id1 != y.id2);
}

void SAFETY ()
{
  FORALL_DISTINCT_NODE_PAIR (id1,id2)
    ASSERT(x.id1 != x.id2 || y.id1 != y.id2);
}


Synchronous Collision Avoidance Code

    if (state == NEXT) {
      //compute next point on route
      if (x == xf && y == yf) return;
      NEXT_XY();
      state = REQUEST;

    } else if (state == REQUEST) {
      //request the lock but only if it is free
      if (EXISTS_OTHER(idp, lock[xp][yp][idp] != 0)) return;
      lock[xp][yp][id] = 1;
      state = WAITING;

    } else if (state == WAITING) {
      //grab the lock if we are the highest
      //id node to request or hold the lock
      if (EXISTS_HIGHER(idp, lock[xp][yp][idp] != 0)) return;
      state = MOVE;

    } else if (state == MOVE) {
      //now we have the lock on (xp,yp)
      if (MOVE_TO(xp, yp)) return;
      lock[x][y][id] = 0;
      x = xp; y = yp;
      state = NEXT;
    }
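The following is an added example, not DASL output or the paper's code: the ROUND protocol above written in plain C, together with a brute-force driver that enumerates every initial state the INIT block admits for a small instance and plays the role of the exhaustive state-space search the Model Checking slide describes (CBMC does this over the generated C). It also runs the protocol with the REQUEST check removed, to show that over-booking is exactly what the safety property catches. Assumed, not taken from the slides: a 3x3 grid with 2 nodes (the slides use 4x4 and leave #N to the daslc --nodes flag), a NEXT_XY that steps toward the waypoint along x and then y, a MOVE_TO that always completes, and a global lock array that is double-buffered per round (reads see the previous round's values), which is how the --seq-dbl mode in Tool Usage is interpreted here.

```c
/* Added example (not DASL output or the paper's code): the synchronous
 * collision-avoidance protocol in plain C, plus a brute-force driver that
 * enumerates every initial state INIT allows for a small instance, standing
 * in for the exhaustive search CBMC performs on the generated code.
 * Assumptions: 3x3 grid, 2 nodes; NEXT_XY steps toward the waypoint along x
 * then y; MOVE_TO completes immediately; the global lock array is
 * double-buffered per round, as with --seq-dbl. */
#include <stdio.h>
#include <string.h>

#define X 3
#define Y 3
#define N 2          /* the driver below hard-codes two nodes */
#define ROUNDS 24    /* bound on the number of synchronous rounds explored */

enum { NEXT = 0, REQUEST = 1, WAITING = 2, MOVE = 3 };

typedef struct { int state, x, y, xp, yp, xf, yf; } Node;   /* LOCAL vars */
typedef struct { Node node[N]; int lock[X][Y][N]; } World;  /* + GLOBAL lock */

/* Hypothetical NEXT_XY: one step toward (xf, yf), x first then y. */
static void next_xy(Node *n) {
    n->xp = n->x; n->yp = n->y;
    if (n->x != n->xf) n->xp += (n->xf > n->x) ? 1 : -1;
    else               n->yp += (n->yf > n->y) ? 1 : -1;
}

/* Stand-in for EXTERN MOVE_TO: 0 means the move completed. */
static int move_to(int x, int y) { (void)x; (void)y; return 0; }

/* ROUND for one node. `rd` is the lock copy read this round, `wr` the one
 * written. check_free == 0 drops the REQUEST check, i.e. allows over-booking. */
static void round_step(Node *n, int id, int rd[X][Y][N], int wr[X][Y][N],
                       int check_free) {
    if (n->state == NEXT) {
        if (n->x == n->xf && n->y == n->yf) return;      /* at waypoint */
        next_xy(n);
        n->state = REQUEST;
    } else if (n->state == REQUEST) {
        if (check_free)                                   /* EXISTS_OTHER(...) */
            for (int idp = 0; idp < N; idp++)
                if (idp != id && rd[n->xp][n->yp][idp] != 0) return;
        wr[n->xp][n->yp][id] = 1;
        n->state = WAITING;
    } else if (n->state == WAITING) {
        for (int idp = id + 1; idp < N; idp++)            /* EXISTS_HIGHER(...) */
            if (rd[n->xp][n->yp][idp] != 0) return;
        n->state = MOVE;
    } else if (n->state == MOVE) {
        if (move_to(n->xp, n->yp)) return;
        wr[n->x][n->y][id] = 0;
        n->x = n->xp; n->y = n->yp;
        n->state = NEXT;
    }
}

/* SAFETY: no two nodes occupy the same cell. */
static int safe(const World *w) {
    for (int a = 0; a < N; a++)
        for (int b = a + 1; b < N; b++)
            if (w->node[a].x == w->node[b].x && w->node[a].y == w->node[b].y)
                return 0;
    return 1;
}

/* Run ROUNDS rounds from one concrete initial state; 1 if SAFETY always held. */
static int run(World *w, int check_free) {
    for (int r = 0; r < ROUNDS; r++) {
        int next[X][Y][N];
        memcpy(next, w->lock, sizeof next);     /* double buffer for this round */
        for (int id = 0; id < N; id++)
            round_step(&w->node[id], id, w->lock, next, check_free);
        memcpy(w->lock, next, sizeof next);
        if (!safe(w)) return 0;
    }
    return 1;
}

/* Enumerate every non-colliding placement and every waypoint pair, i.e. the
 * non-deterministic INIT plus its ASSUME. Returns the number of initial states
 * from which a collision is reachable within ROUNDS rounds. */
int count_collisions(int check_free) {
    int bad = 0;
    for (int p0 = 0; p0 < X * Y; p0++)
      for (int p1 = 0; p1 < X * Y; p1++) {
        if (p0 == p1) continue;                 /* ASSUME: no initial collision */
        for (int f0 = 0; f0 < X * Y; f0++)
          for (int f1 = 0; f1 < X * Y; f1++) {
            World w; memset(&w, 0, sizeof w);
            int pos[N] = { p0, p1 }, fin[N] = { f0, f1 };
            for (int id = 0; id < N; id++) {
                Node *n = &w.node[id];
                n->state = NEXT;
                n->x = pos[id] % X;  n->y = pos[id] / X;
                n->xf = fin[id] % X; n->yf = fin[id] / X;
                w.lock[n->x][n->y][id] = 1;     /* each node holds its own cell */
            }
            if (!run(&w, check_free)) bad++;
          }
      }
    return bad;
}

int main(void) {
    printf("protocol as on the slides : %d unsafe initial states\n", count_collisions(1));
    printf("REQUEST check removed     : %d unsafe initial states\n", count_collisions(0));
    return 0;
}
```

With the REQUEST check in place no initial state reaches a collision: a node always holds the lock on the cell it occupies, so a request for an occupied cell is refused, and two simultaneous requests for a free cell are resolved in WAITING by node id. Without the check, the higher-id node overruns a lower-id node sitting on its next cell, which is the over-booking case the grid slide rules out. The driver only checks SAFETY; as on the slides, nodes that want to swap cells wait on each other indefinitely, which is a liveness question the property does not cover.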


Tool Usage

Project webpage (http://mcda.googlecode.com)

• Tutorial (https://code.google.com/p/mcda/wiki/Tutorial)

Verification

• daslc --nodes 3 --seq --rounds 3 --seq-dbl --out tutorial-02.c tutorial-02.dasl

• cbmc tutorial-02.c (takes about 10s to verify)

Code generation & simulation

• daslc --nodes 3 --madara --vrep --out tutorial-02.cpp tutorial-02.dasl

• g++ ...

• mcda-vrep.sh 3 outdir ./tutorial-02 ...
Demonstration: Synchronous Collision Avoidance